upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-05-28 04:34:54 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

Count temporal problems with DNSSEC validation as attempts

Browse source 
After KeyTrap, the temporal DNSSEC were originally hard errors that
caused validation failures even if the records had another valid
signature.  This has been changed and the RRSIGs outside of the
inception and expiration time are not counted as hard errors.  However,
these errors are not even counted as validation attempts, so excessive
number of expired RRSIGs would cause some non-cryptograhic extra work
for the validator.  This has been fixed and the temporal errors are
correctly counted as validation attempts.

(cherry picked from commit 6ba57a1f0f)
This commit is contained in:
Ondřej Surý 2026-02-23 19:42:49 +01:00 committed by Ondřej Surý
parent 545ce3ae22
commit bd3c7d8014
No known key found for this signature in database
GPG key ID: 2820F37E873DEA41
1 changed files with 6 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
lib/dns/validator.c
View file

@ -1452,6 +1452,8 @@ selfsigned_dnskey(dns_validator_t *val) {
dst_key_free(&dstkey);
return ISC_R_QUOTA;
}
consume_validation(val);
result = dns_dnssec_verify(
name, rdataset, dstkey, true,
val->view->maxbits, mctx, &sigrdata,
@ -1461,11 +1463,10 @@ selfsigned_dnskey(dns_validator_t *val) {
case DNS_R_SIGEXPIRED:
/*
* Temporal errors don't count towards
* max validations nor max fails.
* max fails.
*/
break;
case ISC_R_SUCCESS:
consume_validation(val);
/*
* The key with the REVOKE flag has
* self signed the RRset so it is no
@ -1474,7 +1475,6 @@ selfsigned_dnskey(dns_validator_t *val) {
dns_view_untrust(val->view, name, &key);
break;
default:
consume_validation(val);
if (over_max_fails(val)) {
dst_key_free(&dstkey);
return ISC_R_QUOTA;
@ -1515,7 +1515,7 @@ verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata,
isc_result_t result;
dns_fixedname_t fixed;
bool ignore = false;
dns_name_t *wild;
dns_name_t *wild = dns_fixedname_initname(&fixed);
if (DNS_TRUST_SECURE(val->rdataset->trust)) {
/*
@ -1528,7 +1528,7 @@ verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata,
if (over_max_validations(val)) {
return ISC_R_QUOTA;
}
wild = dns_fixedname_initname(&fixed);
consume_validation(val);
again:
result = dns_dnssec_verify(val->name, val->rdataset, key, ignore,
@ -1579,8 +1579,7 @@ again:
case DNS_R_SIGFUTURE:
case DNS_R_SIGEXPIRED:
/*
* Temporal errors don't count towards max validations nor max
* fails.
* Temporal errors don't count towards max fails.
*/
validator_addede(val,
result == DNS_R_SIGEXPIRED
@ -1589,10 +1588,8 @@ again:
NULL);
break;
case ISC_R_SUCCESS:
consume_validation(val);
break;
default:
consume_validation(val);
if (over_max_fails(val)) {
result = ISC_R_QUOTA;
break;